Enhancing Security by Using Remote Access Account Lockout

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent dictionary attacks on remote access accounts, you can use remote access account lockout. When deciding whether to use it, remember that enabling remote access account lockout creates a denial-of-service risk: a malicious user can deliberately submit multiple failed authentications for a user account to force that account to be locked out, preventing the authorized user from creating a remote access connection.

Remote access account lockout is configured in the registry in Windows Server 2003. It is not related to the account lockout policy for domain or local user accounts.

To enable remote access account lockout, modify the following subkey in the registry on the server that authenticates remote access requests:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

If the remote access server is configured for Windows authentication, modify the registry on that server. If the remote access server is configured for RADIUS authentication, and you are using IAS, modify the registry on the IAS server.

For more information about modifying the AccountLockout subkey, see "Configuring Remote Access Account Lockout for a VPN Solution" later in this chapter.
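The following script is an added example, not part of the Deployment Kit text: it enables remote access account lockout under the subkey named above and then reads back what the service will use. The value names MaxDenials and "ResetTime (mins)" are Microsoft's documented values under this subkey (they are not listed on this page); the limits of 5 attempts and 30 minutes are assumed policy choices, and the script assumes Windows PowerShell is installed and run elevated on the server that authenticates remote access requests (the remote access server or the IAS server).

```powershell
# Added example (not from the Deployment Kit page): enable remote access account
# lockout on the authenticating server, then verify the resulting configuration.
# MaxDenials and "ResetTime (mins)" are the documented value names under this key;
# they do not appear on the page above. Run from an elevated PowerShell session.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

# Assumed policy values: lock after 5 failed attempts, and reset the failed-attempt
# counter 30 minutes after the last failure. MaxDenials = 0 leaves lockout disabled.
$MaxDenials   = 5
$ResetMinutes = 30

# Back up the current key before changing it (the page's caution applies here too).
$Backup = Join-Path $env:TEMP 'AccountLockout-backup.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout' $Backup /y 2>$null

if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
Set-ItemProperty -Path $Key -Name 'MaxDenials'       -Value $MaxDenials   -Type DWord
Set-ItemProperty -Path $Key -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord

# Read back what the remote access service will use and flag the disabled state.
$cfg = Get-ItemProperty -Path $Key
if ($cfg.MaxDenials -eq 0) {
    Write-Warning 'MaxDenials is 0: remote access account lockout is disabled.'
} else {
    "Lockout after $($cfg.MaxDenials) failed attempts; counter resets after $($cfg.'ResetTime (mins)') minutes."
}

# Microsoft documents (not on this page) that a locked-out account is recorded as a
# value named domain:user under this key; listing those values shows who is locked out,
# and an administrator clears a lockout by deleting that value.
Get-Item -Path $Key | Select-Object -ExpandProperty Property | Where-Object { $_ -like '*:*' }
```

Because the counter and lockout state live only in this registry key on the authenticating server, the same values must be set on every server that performs authentication (each IAS server when RADIUS is used), and the listing step is the place to check for the deliberate-lockout denial of service the opening paragraph warns about.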

Caution

  • Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry reference on the Microsoft® Windows® Server 2003 Deployment Kit companion CD or at https://www.microsoft.com/reskit.

If your organization is using smart cards, the smart card manufacturer controls account lockout for personal identification numbers (PINs) that are not valid. Recovery from account lockout as a result of an invalid PIN might require smart card replacement.

For more information about remote access account lockout, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).